But careful engineering actually plays a critical role in growing and maintaining customer trust. This is why we are incredibly happy to announce our SOC 2 certification for security and confidentiality. Here, we'll provide our roadmap to SOC 2 certification.

What is SOC 2 Anyways?

SOC 2 is one of the most sought after standards in security and compliance. It stands for System and Organization Controls, and encompasses everything from how you run your engineering systems, to HR processes like updating job descriptions and onboarding new hires.

SOC 2 represents the highest degree of excellence in systems and operations control. A company can pursue SOC 2 certification in different areas of their organization - Security, Availability, Processing Integrity, Confidentiality, and Privacy. In SOC 2 terms, these areas are called trust principles.

Step 1: Bring in Credible Outside Auditors

In order to examine your security standards with complete objectivity, you'll want to bring in a fresh set of eyes (and experts) to help map a path forward that ensures your product will be compliant and follow best practices for the future.

That’s where the auditors come in. At Nylas, we selected A-LIGN’s team to achieve SOC 2 certification.

The first step in the process is getting a sense of the distance between your current operational processes and SOC 2 compliant processes. A-LIGN asked our team hundreds of questions regarding the trust principles of security and confidentiality to identify what worked and what needed improvement.

A-LIGN gave us a proverbial snapshot of our current state of security and confidentiality. From there, it was up to us to figure out how to tweak or add security features to reach SOC 2 compliance.

Step 2: Select Security Criteria for Auditing

When pursuing SOC 2 compliance, you can select the pillars or criteria that you'd like to focus on. These include:

Security: Is your system protected against unauthorized access (physical and logical)?

Availability: Is your system is available for operation and use as you've agreed to with your customers?

Processing Integrity: How does your system process data, including all customer data and PII? Is it accurate, timely, and authorized?

Confidentiality: Do you protect confidential information as you've agreed to with your customers?

Privacy: Do you collect, retain, disclose, or delete personal data in compliance with your privacy policy, with the criteria set forth in the Generally Accepted Privacy Principles (GAPP)?

At Nylas, we chose to focus on the security and confidentiality certifications is because of our commitment to reliability, transparency, and accountability around how our API processes billions of emails, calendar, and contacts data. Security is always important, but it's even more paramount when dealing with email data. We wanted to assure our customers that we handle sensitive information properly and have built a rock solid processes to defend and secure that sensitive information.

Simply maintaining security practices isn't enough- you have to make sure that each security measure is well-documented and that there’s a team transparently evaluating the performance of that infrastructure.

Step 3: Building a Roadmap to SOC 2 Compliance

After meeting with your auditor, you'll want to build a roadmap to achieve SOC 2 compliant systems and processes. It's a true cross-functional, multi-week project that requires a lot of hands-on time.

Once you've built out SOC 2 compliant processes, follow them religiously as if the credibility of your company depends on it (hint: it does). These processes will cover everything from ensuring that there’s tiered access to PII data, to protecting your company's internal confidential data.

For example, if it’s your first day on the job as a designer, it’s unlikely you’ll need to review sensitive customer data. Building tiered account access ensures that you cannot access customer data unless it’s material to your job. The principle of information security must be backed up by a system to enforce it. That system has to be followed to the letter, every time.

Step 4: The Formal Audit

A few months later, your auditor will do a formal audit to see how you've built SOC 2 compliant systems and if you followed the proper processes managing those systems. Like before, you'll answer hundreds of questions about security and confidentiality. To prove that you actually follow these policies, we recommend submitting evidence that validated that you followed your established checks and balances. At the end of the audit, assuming all processes have been well-documented and follow, you'll be determined to be SOC 2 compliant in the criteria you selected!

Step 5: TheRoadAhead -- Certification, and Certification

The work isn't over after you've been certified. To maintain certification, you'll need to undergo regular annual audits to ensure that your security measures and documentation scale with your organization.

About Nylas: Our customers and their users send data to and receive data from Nylas. In that sense, Nylas functions like an API-powered bridge, connecting applications to businesses, businesses to customers, customers to their favorite companies. We’re making sure that bridge gets better every day. We’re working to become certified in additional trust principles, reviewing ISO27001 certification, while maintaining our current SOC 2 certification in future audits. SOC 2 compliance in security and confidentiality is just one critical step in that journey.

About Author

Tomasz Finc

Tomasz is the VP of Engineering at Nylas. He previously worked at Wikimedia and Amazon building agile teams and products. He studied at Berkeley and is often found chasing around his daughter.